NISTIR 8041

Proceedings of the Cybersecurity for Direct Digital Manufacturing (DDM) Symposium

Celia Paulsen
Computer Security Division
Information Technology Laboratory

This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.IR.8041

April 2015

U.S. Department of Commerce
Penny Pritzker, Secretary

National Institute of Standards and Technology
Willie May, Acting Under Secretary of Commerce for Standards and Technology and Acting Director

National Institute of Standards and Technology Internal Report 8041, 143 pages (April 2015)

This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.IR.8041

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by Federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, Federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. All NIST Computer Security Division publications, other than the ones noted above, are available at http://csrc.nist.gov/publications.

Comments on this publication may be submitted to:

National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930)
Gaithersburg, MD 20899-8930
Email: [email protected]

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in Federal information systems.

Abstract

Direct Digital Manufacturing (DDM) involves fabricating physical objects from a data file using computer-controlled processes with little to no human intervention. It includes Additive Manufacturing (AM), 3D printing, and rapid prototyping. The technology is advancing rapidly and has the potential to significantly change traditional manufacturing and supply chain industries, including for information and communication technologies (ICT).

On February 3, 2015, the National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) Computer Security Division hosted a one-day symposium to explore cybersecurity needed for DDM, to include ensuring the protection of intellectual property and the integrity of printers, elements being printed, and design data. Speakers and attendees from industry, academia, and government discussed the state of the industry, cybersecurity risks and solutions, and implications for Information and Communications Technology (ICT) supply chain risk management.

Keywords

3D Printing; Additive Manufacturing; Cyber Physical Systems; Cybersecurity; Direct Digital Manufacturing; Industrial Control Systems; Information Security

Acknowledgements

The NIST Information Technology Laboratory would like to acknowledge Kevin Jurrens, Richard Ricker, Kim Schaffer, and Bill Newhouse of NIST for their contributions in putting together this symposium. NIST would also like to acknowledge each of the presenters for their participation.

NISTIR 8041 Proceedings of the Cybersecurity for DDM Symposium

Executive Summary

Information Technology has increasingly been incorporated into every segment of the economy. In manufacturing, the basic technology of Direct Digital Manufacturing (DDM) has been around for dozens of years. This involves the creation of a physical object from a digital design using computer-controlled processes with little to no human intervention. With the popularization and advancement of Additive Manufacturing (AM) and 3D printing, it is becoming much more common. These technologies have the potential to significantly change traditional manufacturing and supply chain industries, including information and communications technologies (ICT).

On February 3rd, 2015, the NIST Information Technology Laboratory (ITL) Computer Security Division hosted a one-day symposium to explore the cybersecurity aspects of DDM. There were approximately 50 attendees from government, industry, and academia representing a broad array of DDM practitioners, cybersecurity professionals, researchers, and manufacturing innovation organizations.

During the symposium, speakers and attendees discussed DDM cybersecurity risks, challenges, solutions, and implications for ICT supply chain risk management. Although the presenters were all from diverse backgrounds representing a variety of viewpoints, each had similar arguments:

Cybersecurity risks to DDM are very real;
Cybersecurity threats have the potential to disrupt the manufacturing revolution;
There is real opportunity to improve the security of the manufacturing supply chain; and
The time to build cybersecurity into the DDM process is now.

During discussions and the concluding working session, participants generally agreed that the biggest challenge to building cybersecurity into DDM is culture. Organizations, especially small businesses, may not recognize that AM or 3D printing devices have any cybersecurity risks and may be unwilling to compromise efficiency for security. Other key areas discussed included cost-effective technological capabilities, technical standards, and general guidance. While several existing technical standards were identified, most were not specific to cybersecurity in DDM. Attendees noted that technical and standards-based solutions for DDM are limited and do not address the rapid, changeable, and distributed manufacturing environment of the future. NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations [1], and the NIST Framework for Improving Critical Infrastructure Cybersecurity [2] were identified as potential starting points for developing risk management guidance for DDM.

Table of Contents

Executive Summary ... v
1 Overview ... 1
2 Abstracts and Presentations ... 2
  Welcome ... 2
    James St. Pierre, Deputy Director of the Information Technology Laboratory (ITL), NIST
  Invited Talk ... 2
    Michael F. Molnar, Director, NIST Advanced Manufacturing Program Office; Director, Advanced Manufacturing National Program Office (AMNPO)
    Presentation ... 4
  Presentation 1: An Analysis of Cyber Physical Vulnerabilities in Additive Manufacturing ... 19
    Christopher B. Williams, Associate Professor, Virginia Tech Department of Mechanical Engineering
    Abstract ... 20
    Presentation ... 22
  Presentation 2: Applying and Assessing Cybersecurity Controls for Direct Digital Manufacturing Systems ... 51
    Scott Zimmerman, CISSP-ISSEP, Principal IT Advisor, Concurrent Technologies Corporation (CTC)
    Dominick Glavach, CISSP, GCIH, Principal Fellow, Information Systems Security Engineer, CTC
    Abstract ... 52
    Presentation ... 55
  Presentation 3: Cybersecurity for Advanced Manufacturing – Securing the Digital Thread ... 65
    Dr. Michael F. McGrath, NDIA Manufacturing Division
    Abstract ... 66
    Presentation ... 67
  Panel: Opportunities for Secure 3D Printing ... 65
    Robert Zollo (moderator), President, Avante Technology
    Abstract ... 76
    Presentation ... 77
    Dr. Claire Vishik, Trust and Security Technology and Policy Director, Intel Corporation
    Presentation ... 90
    Andre Wegner, Founder, CEO at Authentize
    Presentation ... 98
3 Summary of Attendee Perceptions ... 118
4 Conclusions ... 120

List of Appendices

Appendix A: Response Sheet Results ... A-1
Appendix B: Working Session Results ... B-1
Appendix C: Biographies ... C-1
Appendix D: Attendee List ... D-1
Appendix E: Acronyms ... E-1
Appendix F: References ... F-1

1 Overview

Direct Digital Manufacturing (DDM) involves fabricating physical objects from a data file using computer-controlled processes with little to no human intervention. Traditionally, these technologies have not been widely adopted, but with the popularization of Additive Manufacturing (AM) and 3D printing, they are becoming increasingly common. These technologies are advancing rapidly and have the potential to significantly change traditional manufacturing and supply chain industries, including for information and communication technologies (ICT).

On February 3, 2015, the National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) Computer Security Division hosted a one-day symposium to explore the cybersecurity aspects of DDM, to include ensuring the protection of intellectual property and the integrity of printers, elements being printed, and design data.

There were approximately 50 attendees from government, industry, and academia representing a broad array of DDM practitioners, cybersecurity professionals, researchers, and manufacturing innovation organizations. During the symposium, speakers and attendees discussed cybersecurity risks, challenges, solutions, and implications for Information and Communications Technology (ICT) supply chain risk management.

The agenda contained an invited talk, four presentations, and a panel discussion that exemplified diverse perspectives. A concluding working session captured the viewpoints of the attendees in several key areas. In addition, attendees provided inputs on the risks, challenges, existing solutions, and potential/theoretical solutions for cybersecurity in DDM. Responses focused around culture / humans, threats to the integrity of design, technological capabilities (especially around quality control and event detection), and guidance specific to cybersecurity in DDM.

The remainder of this publication is structured as follows:

Section 2 contains a summary of each presentation, and speaker submitted abstracts and presentations where applicable. Presentations are included in the order they were given during the symposium.
Section 3 contains an analysis of attendee perceptions based on completed attendee handouts / response sheets and the concluding working session.
Section 4 presents conclusions, including possible future steps and recommendations.
Appendix A contains data from completed handouts / response sheets.
Appendix B contains data collected during the concluding working session.
Appendix C contains biographies of the presenters as contained in the agenda.
Appendix D lists acronyms used throughout the document.

2 Abstracts and Presentations

This section contains a brief summary of each presentation along with the abstracts speakers submitted, when applicable, and any slides used. Presentations in this section are listed in the order they were given during the symposium.

Welcome

James St. Pierre
Deputy Director of the Information Technology Laboratory (ITL), NIST

Key Points:

NIST’s mission is to promote “U.S. innovation and industrial competitiveness.”
Safeguarding the “digital threads” of the manufacturing process is critical to promoting innovation and industrial competitiveness.
The core principles of NIST’s ITL efforts include collaboration, openness, and transparency.
We welcome the opportunity to collaborate to identify risks, challenges, gaps and opportunities as we look to “build security in” to the direct digital manufacturing processes and discuss ways forward.

Invited Talk

Michael F. Molnar
Director, NIST Advanced Manufacturing Program Office
Director, Advanced Manufacturing National Program Office (AMNPO)

Key Points:

The first two manufacturing revolutions were about bringing capabilities together. The third and current manufacturing revolution is about new capabilities: creating things we never could have before.
Misconceptions about manufacturing include that it is “dirty and declining,” meaning it may not be an attractive job field.
Manufacturing plays a central role in the U.S. economic base.
In 2013, the National Network of Manufacturing Innovation (NNMI) was created with bi-partisan support to advance the US’s manufacturing capabilities.
The Revitalize American Manufacturing Innovation (RAMI) Act of 2014 (H.R. 2996/S. 1468) calls for open-topic proposals for creating additional NNMI institutes. Currently 8 are planned with a goal of 45 total.

Ed Morris was invited to speak about the first pilot NNMI institute, America Makes. He spoke about how they examined cyber implications and how advanced manufacturing would not exist without the digital component.
Dean Bartles was invited to speak about the second pilot NNMI institute, the Digital Manufacturing and Design Innovation Institute (DMDII) in Chicago, Illinois. The DMDII focuses on digital design solutions, and he noted that cybersecurity ranked among the top five concerns of manufacturing leaders. DMDII Project Call 15-01 is specifically focused on cybersecurity and closes March 20, 2015.
With digital manufacturing, the U.S. is regaining its focus on manufacturing and raising a new generation of makers.

Presentation: [slides, pages 4 to 18 of the report, not reproduced in this text]

Presentation 1: An Analysis of Cyber Physical Vulnerabilities in Additive Manufacturing

Christopher B. Williams
Associate Professor, Virginia Tech Department of Mechanical Engineering

Key Discussion Points:

Current research in Cyber Physical Systems is focused on Supervisory Control and Data Acquisition (SCADA) systems, but Additive Manufacturing is different.
Researchers were able to intercept a job initialization file and decode it, allowing attackers to potentially alter printer parameters mid-print. The STL (or newer AMF) standard files are especially vulnerable to attacks which alter a design.
The presenters described an experiment run on students at Virginia Tech. Seven groups of students were given an “extra credit” assignment to design a standard dog bone, print it, and test it. An exploit was easily developed which inserted a void in the STL file. Students failed to recognize any anomalies prior to printing and testing. No students correctly diagnosed the anomalies as a cybersecurity problem.
Recommendations include improved quality control processes, hashing, improved process monitoring, and operator training.
Some attendees commented that other forms of manufacturing have similar vulnerabilities.
Cybersecurity solutions should be built under the assumption that manufacturers are not cybersecurity experts.

An Analysis of Cyber-Physical Vulnerabilities in Additive Manufacturing

Logan Sturm (1), Christopher B. Williams (1), Jaime A. Camelio (2), Jules White (3), Robert Parker (4)

(1) Department of Mechanical Engineering, Virginia Tech, Blacksburg, VA, USA
(2) Department of Industrial & Systems Engineering, Virginia Tech, Blacksburg, VA, USA
(3) Department of Computer Science, Vanderbilt University
(4) VT-ARC, Blacksburg, VA, USA

Keywords: Additive Manufacturing; 3D Printing; Cyber/Physical security

EXTENDED ABSTRACT

While the “digital thread” of advanced manufacturing technologies enables a more efficient design process, it also presents opportunities for cyber-attacks to impact the physical world. A cyber-attack on manufacturing systems could cause injury to plant workers and damage to the machine itself. More insidiously, an attack could be designed to cause a process to produce faulty parts that might find their way into end-user products. With the rise in both the number of cyber-physical systems connected to networks and in malicious cyber-attacks, there is a clear need for research to understand the vulnerabilities of cyber-physical systems. While methods exist for detecting cyber-attacks on computer systems, no such research has been done on detecting an attack from the physical parts created by the attack.

In this work, the authors scope their research solely on Additive Manufacturing (AM; also referred to as “3D Printing”) technologies. The AM process chain has unique vulnerabilities that warrant a detailed investigation due to their ability to fabricate parts in a layer-wise fashion. Because of the potential damage from a cyber-physical attack, there is a need to look at AM systems to determine what vulnerabilities exist and how to prevent and mitigate the threat of cyber-attacks.

The digital nature of the AM process chain provides an opportunity for a cyber-attack to cross into the physical world. There are four main steps on the process chain where an attack could take place: the CAD model, the .STL file, the toolpath file, and the physical machine itself. While the authors will discuss attack vectors at each of these steps within the process chain, their focus will be on vulnerabilities within the .STL file as it is the one vulnerability that does not require specific modification for an individual AM machine. As STL file creation occurs at the beginning of the process chain and the file format is standardized across every AM machine, a focused attack could have severe implications across an AM production line regardless of the machine type or manufacturer.

The current de facto standard in AM, the STL file only contains the surface information of the part. This information is stored as a list of triangular elements (specified by a set of x, y, and z coordinates of three vertices) in ASCII or binary format. An attack that simply edits the STL file could subtly alter the part geometry. STL file edits/attacks could take the form of (i) part scaling, (ii) surface indents or protrusions, (iii) vertex movement, and (iv) insertion of internal voids within the part. While most of these vectors affect the surface of the part geometry, and thus could possibly be detected using standard quality control dimensional measurements, the void attack is completely enclosed inside the model. Because of this, such an attack would be undetectable by dimensional measurements and may be difficult or impossible to find visually. The use of supporting material in many processes also renders the void undetectable by weighing, since the void is filled with a structurally deficient, but equivalently dense material.

To ascertain the potential impact of this specific attack, two experiments were performed. First the authors evaluated the effect of a “printed void” on the mechanical strength of a printed specimen. Several ASTM Standard D638-10 tensile test specimens with and without voids were printed via Powder Bed Fusion (a Sinterstation 2500 Plus machine) using Nylon 12 powder. Upon testing, all of the specimens containing voids fractured at the void location, while the specimens without voids failed normally. The average reduction in yield load was 14%, from 1085N to 930N, and the strain at failure was reduced from 10.4% to 5.8%.

Second, a case study was performed to determine the feasibility of a cyber-attack on a simple AM system and to evaluate the ability of AM operators to detect an attack. In this experiment, upper-level and graduate engineering students were challenged to manufacture and test a tensile test specimen. Unknown to the participants, the computer used was infected with .STL attack software that automatically inserted voids into their files before fabrication. Upon completion of the printing, none of the participants detected the presence of the voids in their parts. Upon breaking the part, all participant teams identified that their parts failed prematurely. Two teams detected the presence of a void at the fracture location; however both of these teams concluded that the placement was due to problems with the machine. Two teams did not notice the voids and attributed the failure to the anisotropic nature of additively manufactured parts.

Based on the results of this study, it appears that a real threat from cyber-physical attacks exists and that further research needs to be done on how to mitigate such attacks. The inclusion of software checks, hashing, process monitoring, and worker training are proposed as methods of reducing these threats. Future work includes the development of physical hashing techniques and of improved side channel process monitoring and control.
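As an added defender-side example, not part of the proceedings or of the Virginia Tech authors' work: a Python pre-slicing audit for binary STL files that implements two of the mitigations proposed above, a hash check against a known-good manifest and software checks on the parsed geometry (a second closed shell, or volume lost against the design, is what an enclosed void looks like in the mesh). The box builder, the sample files it produces and all function names are constructed here for illustration.

```python
"""Binary STL integrity audit: manifest hash plus geometric sanity checks."""
import hashlib
import struct
from typing import Dict, List, Sequence, Tuple

Vec = Tuple[float, float, float]
Triangle = Tuple[Vec, Vec, Vec]

# Vertex index triples for the six faces of an axis-aligned box, wound
# counter-clockwise as seen from outside so every facet normal points outward.
_BOX_FACES = [(0, 2, 1), (0, 3, 2), (4, 5, 6), (4, 6, 7), (0, 1, 5), (0, 5, 4),
              (3, 6, 2), (3, 7, 6), (0, 4, 7), (0, 7, 3), (1, 2, 6), (1, 6, 5)]


def build_box(origin: Vec, size: float, inward: bool = False) -> List[Triangle]:
    """Constructed sample geometry: a cube as 12 triangles. inward=True reverses
    the winding, which is how a closed cavity inside a solid is represented."""
    x, y, z = origin
    s = size
    v = [(x, y, z), (x + s, y, z), (x + s, y + s, z), (x, y + s, z),
         (x, y, z + s), (x + s, y, z + s), (x + s, y + s, z + s), (x, y + s, z + s)]
    tris = [(v[a], v[b], v[c]) for a, b, c in _BOX_FACES]
    return [(t[0], t[2], t[1]) for t in tris] if inward else tris


def _sub(a: Vec, b: Vec) -> Vec:
    return (a[0] - b[0], a[1] - b[1], a[2] - b[2])


def _cross(a: Vec, b: Vec) -> Vec:
    return (a[1] * b[2] - a[2] * b[1], a[2] * b[0] - a[0] * b[2], a[0] * b[1] - a[1] * b[0])


def _dot(a: Vec, b: Vec) -> float:
    return a[0] * b[0] + a[1] * b[1] + a[2] * b[2]


def encode_binary_stl(tris: Sequence[Triangle]) -> bytes:
    """Binary STL layout: 80-byte header, uint32 facet count, then one 50-byte
    record per facet (float32 normal, three float32 vertices, uint16 attribute)."""
    out = [b"constructed sample".ljust(80, b"\0"), struct.pack("<I", len(tris))]
    for v0, v1, v2 in tris:
        n = _cross(_sub(v1, v0), _sub(v2, v0))
        length = _dot(n, n) ** 0.5 or 1.0  # degenerate facet: leave normal as zero
        out.append(struct.pack("<3f", *(c / length for c in n)))
        out.append(struct.pack("<9f", *v0, *v1, *v2))
        out.append(struct.pack("<H", 0))
    return b"".join(out)


def parse_binary_stl(data: bytes) -> List[Triangle]:
    """Strict parser: the declared facet count must match the file length, so a
    file with appended or truncated facets is rejected instead of read silently."""
    if len(data) < 84:
        raise ValueError("file too short for a binary STL")
    (count,) = struct.unpack_from("<I", data, 80)
    if len(data) != 84 + 50 * count:
        raise ValueError(f"facet count {count} does not match file length {len(data)}")
    tris: List[Triangle] = []
    for i in range(count):
        f = struct.unpack_from("<12fH", data, 84 + 50 * i)  # skip normal, keep vertices
        tris.append((f[3:6], f[6:9], f[9:12]))
    return tris


def count_shells(tris: Sequence[Triangle]) -> int:
    """Number of connected surfaces, via union-find over shared vertices. A part
    designed as one solid that parses into two shells contains an enclosed void."""
    parent: Dict[Vec, Vec] = {}

    def find(k: Vec) -> Vec:
        parent.setdefault(k, k)
        while parent[k] != k:
            parent[k] = parent[parent[k]]  # path halving
            k = parent[k]
        return k

    for tri in tris:
        keys = [tuple(round(c, 6) for c in v) for v in tri]  # merge float noise
        for k in keys[1:]:
            parent[find(k)] = find(keys[0])
    return len({find(k) for k in parent})


def signed_volume(tris: Sequence[Triangle]) -> float:
    """Enclosed volume by the divergence theorem. An inward-wound inner shell
    subtracts, so a void shows up as volume missing against the design value."""
    return sum(_dot(v0, _cross(v1, v2)) for v0, v1, v2 in tris) / 6.0


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_stl(data: bytes, expected_sha256: str) -> Dict[str, object]:
    """What an operator's toolchain would run before slicing: compare the file
    hash with the design release manifest, then check the mesh itself."""
    tris = parse_binary_stl(data)
    return {
        "hash_ok": sha256_hex(data) == expected_sha256,
        "facets": len(tris),
        "shells": count_shells(tris),
        "volume": signed_volume(tris),
    }


if __name__ == "__main__":
    released = encode_binary_stl(build_box((0.0, 0.0, 0.0), 20.0))
    manifest = sha256_hex(released)  # recorded when the design was released
    print(audit_stl(released, manifest))
```

A shell count above one, or a volume that disagrees with the CAD value beyond tolerance, is a reason to stop the job even when the file still slices cleanly.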

Presentation: [slides, pages 22 to 50 of the report, not reproduced in this text]

Presentation 2: Applying and Assessing Cybersecurity Controls for Direct Digital Manufacturing Systems

Scott Zimmerman, CISSP-ISSEP
Principal IT Advisor, Concurrent Technologies Corporation (CTC)

Dominick Glavach, CISSP, GCIH
Principal Fellow, Information Systems Security Engineer, CTC

Key Discussion Points:

Digitization of manufacturing increases the risks of theft, disruption, and sabotage.

There are vulnerabilities in preproduction software, data storage and data transfers, the stereolithography (STL) file format, printer components, and engineering / production practices.

The presenters discussed their experience with obtaining a 3D printer and the cybersecurity challenges encountered when setting it up.

Many AM machines contain old firmware, cannot be patched easily, and have poor authentication processes. It was commented that this is not unusual for manufacturing systems.

The AM process is also complex, variable / changeable, and tends to leave a lot of residual data in various places, making cybersecurity without interfering with functionality a challenge.

There is a significant opportunity to be proactive rather than reactive regarding cybersecurity, due to the nature of the technology and the state of the industry. The authors presented several recommendations for cybersecurity controls and highlighted the value of traditional cybersecurity controls such as firewalls.

Participants stressed the need to focus on people: a recent attack was described that began with a phishing scam. One participant commented that manufacturers and users are not security aware, yet DDM supports users with minimal digital knowledge, so any security solution needs to be simple and usable.


Applying and Assessing Cybersecurity Controls for Direct Digital Manufacturing Systems

Scott Zimmerman, CISSP-ISSEP
Concurrent Technologies Corporation
Johnstown, PA USA
[email protected]

Dom Glavach, CISSP
Concurrent Technologies Corporation
Johnstown, PA USA
[email protected]

Abstract – Applying meaningful cybersecurity controls, and assessing their impact, are ongoing and significant challenges for the Direct Digital Manufacturing (DDM) community. These issues will be significant as the technology moves into the mainstream manufacturing supply chain. This presentation will, therefore, address cybersecurity threats to DDM, including insight into potential attack scenarios and motivations gained through direct observation. We will discuss the details of a security assessment performed on an Additive Manufacturing (AM) system used for rapid prototyping and complex part production within the defense industry. Protocols and associated recommendations for incorporating security best practices during system installation and subsequent operation will also be presented.

Keywords—additive manufacturing, cybersecurity, direct digital manufacturing, programmable logic controllers

1 INTRODUCTION

Given the expectations for, and potential impact of, Direct Digital Manufacturing (DDM) in revitalizing the U.S. and global manufacturing landscape, DDM, including Additive Manufacturing (AM) and other similarly disruptive technologies, will have a significant impact on national security. According to the National Defense University, “The propagation of this technology has generated a host of national security considerations, which connect to broader economic and policy developments…. Additionally, the deployment of AM technologies in manufacturing will likely promote greater interaction between the national security community and the private sector, as businesses will be able to produce prototypes and sophisticated components more inexpensively and quickly than before.”1 While supply chain implications and benefits are numerous, cybersecurity remains a significant challenge.

The Economist (April 2012) refers to the potential for DDM to create the third industrial revolution,2 noting that the disruption to manufacturing will be as significant as digitization was to telecommunication, office equipment, photography and publishing. While digitization creates an incredible growth potential within manufacturing, it also comes with many of the associated cybersecurity risks that impact other digitized industries.

Due to the potential economic and security implications of DDM, the industry is challenged to address cybersecurity risks in a timely way and develop standards, systems and processes for security before such wide scale adoption of the technology limits, or prohibits, the deployment of protection mechanisms. The negative impact of failing to include security protocols at start-up can be seen within the power and energy sector, which has large deployments of programmable logic controllers (PLC) and supervisory control and data acquisition (SCADA) systems. At the time of design and deployment, these systems were not equipped with adequate security mechanisms to contend with the threats of the connected world in the current environment. Now that these systems are so tightly woven into the fabric of the power grid, retrofitting security is a much larger task than if it had been tackled in the beginning.


2 CHARACTERIZING THE THREAT

The technical advances and economic impact associated with the DDM revolution attract an innovative and entrepreneurial audience. History illustrates that new technologies tend to create criminal opportunity via unexpected exploitation avenues. From the stagecoach to smart thermostats, security has often been an afterthought in new technology design and implementation. Hathaway states that corporate and government leadership are reactive in nature to cybersecurity needs and only act to mitigate security issues after a significant event occurs. She further concludes that additional legislation may be needed to incentivize corporate and government leadership to get serious about cybersecurity.3

The complexity and critical nature of some products being produced by DDM, ranging from fuel nozzles to human organs, render these systems obvious targets for cyber criminals, espionage actors, or digital activist groups. Regardless of motivation, gaining access to an industrial DDM system is not a trivial action and requires an intricate, but likely, attack scenario, resulting in one of the following:

1. Theft (processes and property)
2. Disruption (slowing or stopping the DDM process)
3. Sabotage (inserting unforeseen time-delayed failures)

The combination of system complexity, installation methods and the manner in which digital models become manufactured objects creates a large attack surface. The proposed presentation explores possible attack scenarios and associated risk evaluations in the areas of:

1. Model file formats
2. Data storage and transfers
3. Printer component software and firmware
4. Preproduction software
5. Engineering and production practices

3 SECURITY ASSESSMENT RESULTS

System Installation

With the opportunity to conduct a security assessment on a newly installed AM system, we identified risks at the inception; it begins with internal coordination and communications between enterprise Information Technology (IT) and shop floor personnel. In general, the focus and priority of the materials/manufacturing/engineering staff are installation and operation, which includes connection to the internal and possibly an external network, so the relevant parts can be produced. Their initial concerns are not about how to make this system secure.

In the particular case under consideration, the AM equipment was delivered to the ‘manufacturing’ floor, unboxed and set up, all without the awareness of the IT department. Once installed, the AM engineering team contacted the Enterprise Help Desk and requested “…can you help connect our new printer to the network?” Unwittingly, the request was executed. Needless to say, the original equipment manufacturer (OEM) was unable to connect to the AM equipment, since it was behind the corporate firewall. Subsequent requests were submitted to the Enterprise Help Desk requesting OEM access to the equipment through the Internet for fine-tuning. The printer was transferred to an open Internet connection normally provided to corporate guests. This channel is monitored, yet it has minimal shielding. It was only after subsequent investigation by the information security team that it became clear that the “printer” was in fact a metal DDM system, not a typical office document printer. Following this discovery, the security team moved the printer to a secure and scrutinized subnet on the network. Now, additional security controls and enhanced logging occur routinely, while it is still possible for the engineering team to work directly through the network with the manufacturer.

Assessment Methodology

AM systems can be complex, consisting of several central processing units (CPU) and PLCs, operating systems, and applications (including both AM-specific ones as well as applications that support the user experience, such as web browsers and Portable Document Format (PDF) readers). The CPU/PLCs communicate via standard network protocols such as TCP/IP within the printer and then to a gateway interface for larger network access. The operating systems and applications on these controllers process design data to produce 3D components.

We deployed both the corporate security assessment methodology as well as the security risk assessment provided in the NIST DRAFT NISTIR 8023, Risk Management for Replication Devices. We will present and discuss specific scan results and findings. In addition, we will propose a series of security protocols as best practices for any DDM system implementation. We list a selection of possible solutions below and will expand on the requirements for success in this presentation.

Recommendations

1. Mandatory scanning (enumeration) of the system prior to deploying it to the network, and disabling of all unneeded communications / system processes.
2. Review of user accounts / groups on the system, including their level of privilege, with adjustment accordingly.
3. Removal of all unneeded applications installed on the system (browsers, readers, games, etc.).
4. Enabling of a host-based firewall that allows communication only via secure ports to known IP addresses for manufacturer communications (disable this connectivity when not in use).
5. Processes developed for system updates / upgrades.
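The first and fourth recommendations can be turned into a mechanical gate. The following is an added example, not tooling from the presenters' assessment or from CTC: it parses the "grepable" (-oG) output of an nmap scan of the controller, flags every open port that is not on an allow-list of services the machine is expected to expose, and renders a default-deny nftables host-firewall ruleset that admits only the OEM support address on the approved ports. The scan text, the allow-list (SSH plus one HTTPS port for OEM tooling) and the OEM address 203.0.113.10 (RFC 5737 documentation range) are constructed for the example.

```python
"""Pre-deployment enumeration gate and host-firewall policy for an AM controller.

Added example: parses nmap -oG (grepable) output, reports open ports that are
not on the expected-service allow-list, and renders a default-deny nftables
ruleset that admits only the OEM support host on the approved ports.
The scan text, allow-list and OEM address below are constructed, not real.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str


# nmap -oG lists each port as  port/state/proto/owner/service/rpc/version/
_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/[^/]*/")

# Constructed sample of nmap -oG output for the controller (not a real scan).
SAMPLE_SCAN = (
    "# Nmap 7.x scan initiated (constructed sample)\n"
    "Host: 10.20.30.40 (am-controller)\tPorts: 22/open/tcp//ssh//OpenSSH 7.2/, "
    "80/open/tcp//http//lighttpd 1.4/, 445/open/tcp//microsoft-ds///, "
    "5900/open/tcp//vnc//VNC (protocol 3.8)/, 8443/open/tcp//https-alt///"
    "\tIgnored State: closed (995)\n"
)

# Services the controller is expected to expose once hardened (assumption):
# SSH for administration and an HTTPS port used by the OEM support tooling.
ALLOWED_SERVICES = {(22, "tcp"), (8443, "tcp")}

# OEM support address (RFC 5737 documentation range; assumption for the example).
OEM_SUPPORT_ADDR = "203.0.113.10"


def parse_grepable(text: str) -> list[OpenPort]:
    """Return every port reported 'open' in nmap -oG output."""
    found: list[OpenPort] = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        for port, state, proto, service in _PORT_RE.findall(line):
            if state == "open":
                found.append(OpenPort(host, int(port), proto, service))
    return found


def unexpected_ports(found: list[OpenPort], allowed: set[tuple[int, str]]) -> list[OpenPort]:
    """Open ports not on the allow-list: services to disable before the
    controller is connected to the production network."""
    return [p for p in found if (p.port, p.proto) not in allowed]


def nft_ruleset(oem_addr: str, allowed: set[tuple[int, str]]) -> str:
    """Render a default-deny inbound policy in nftables syntax that admits the
    OEM support host on the approved ports only. Loading it (nft -f) and
    removing it again when the support session ends is left to the operator."""
    tcp = sorted(p for p, proto in allowed if proto == "tcp")
    udp = sorted(p for p, proto in allowed if proto == "udp")
    lines = [
        "table inet am_controller {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    if tcp:
        lines.append(f"    ip saddr {oem_addr} tcp dport {{ {', '.join(map(str, tcp))} }} ct state new accept")
    if udp:
        lines.append(f"    ip saddr {oem_addr} udp dport {{ {', '.join(map(str, udp))} }} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


def gate(scan_text: str = SAMPLE_SCAN,
         allowed: set[tuple[int, str]] = ALLOWED_SERVICES) -> tuple[bool, list[OpenPort]]:
    """Deployment gate: passes only when no unexpected port is open."""
    extra = unexpected_ports(parse_grepable(scan_text), allowed)
    return (not extra, extra)


if __name__ == "__main__":
    ok, extra = gate()
    for p in extra:
        print(f"BLOCK: {p.host} {p.port}/{p.proto} ({p.service}) is open but not on the allow-list")
    print("gate:", "PASS" if ok else "FAIL, disable the services above before connecting")
    print(nft_ruleset(OEM_SUPPORT_ADDR, ALLOWED_SERVICES))
```

On the constructed scan the gate fails on the HTTP, SMB and VNC listeners, which is the point: the services a vendor image ships with are rarely the services the shop floor needs, and the machine should not reach the network until the list is empty. The ruleset deliberately has no general "accept" for the corporate subnet; the engineering team's own access path should be added as a second explicit rule rather than by widening the OEM one.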

Conclusion

High-end AM printers are expensive, highly calibrated machines, increasingly complex, and generally not ‘plug-and-play’ systems. With respect to the system discussed in this presentation, there has been a great deal of ongoing support from the OEM in order to optimize printer operational performance. This type of support requires remote connectivity to the system. When the manufacturer is a foreign entity, this situation compounds security challenges and complicates protocols due to the need to comply with the International Traffic in Arms Regulations (ITAR), which may prohibit collaborations. At a minimum, many security assessment protocols and mitigation procedures typically implemented for enterprise business systems should be applied or adapted for the implementation and operation of DDM systems.

REFERENCES

1. C.M. McNulty, N. Arnas, “Toward the Printed World: Additive Manufacturing and Implications for National Security,” Defense Horizons, Institute for National Strategic Studies, National Defense University, September 2012.
2. The Economist, “A third industrial revolution”. Accessed November 2014, http://www.economist.com/node/21552901
3. M.E. Hathaway, “Leadership and Responsibility for Cybersecurity”, Georgetown Journal of International Affairs, pages 71-80, March 2013.

Presentation: [slides, pages 63 to 73 of the original document, not reproduced in this text]

Presentation 3: Cybersecurity for Advanced Manufacturing – Securing the Digital Thread

Dr. Michael F. McGrath
National Defense Industrial Association (NDIA) Manufacturing Division

Key Discussion Points:

The intersection between cyber/cybersecurity and manufacturing is critical.

The presenter described three concerns expressed by manufacturers: theft, alteration, and disruption. These closely mirror the traditional Confidentiality, Integrity, and Availability (CIA) security objectives.

IT solutions don’t always fit the manufacturing world. Manufacturers often have a mix of old and new equipment. The new can be secured, but securing the old is much more difficult, and the old has to work with the new.

Culture change is necessary. Some participants indicated the industry has to change: vendors will say anything to sell a product, manufacturing CEOs place productivity over security, and CISOs don’t have much say regarding manufacturing operations.

Requirements are beginning to be seen, e.g. the Defense Federal Acquisition Regulation Supplement (DFARS) clause which requires flow-down of responsibility to sub-suppliers.

Some companies may be especially vulnerable because they do not recognize a risk. Interconnected supply chains with a lot of data sharing may be especially vulnerable if they use small company suppliers who don’t recognize cybersecurity risks in manufacturing.

Manufacturing presents a unique set of problems combining cyber plus Industrial Control System (ICS) vulnerabilities. Existing cybersecurity controls may not be sufficient in a DDM environment. The problem is not unique to AM, but AM presents a significant opportunity to build security in.

An NDIA working group regarding cybersecurity in manufacturing is currently being formed.


Cybersecurity for Advanced Manufacturing -- Protecting the Digital Thread

Dr. Michael McGrath
National Defense Industrial Association (NDIA) Manufacturing Division
Arlington, VA, USA
[email protected]

Abstract: Government and industry have focused much effort on protecting technical information in business and engineering information systems. Relatively less action has been taken to improve protection of technical data in factory floor networks and control systems, which are increasingly subject to cyber threats. NDIA’s Manufacturing Division and Cyber Division jointly developed a White Paper in 2014 to heighten awareness of the need for better practices and technical solutions to protect against theft of technical data transiting or residing in manufacturing systems, alteration of the data (thereby compromising the physical parts produced), or interference with reliable and safe production operations. Direct digital manufacturing is not inherently more vulnerable than other types of manufacturing, but it presents a very inviting target for would-be intellectual property thieves or counterfeiters: the full set of product and process information is available in one place, and the barriers to entry are low. This presentation offers several recommendations for enhancing protection of technical data in factory floor networks and in direct digital manufacturing systems in particular.

Presentation: [slides, pages 75 to 83 of the original document, not reproduced in this text]

Panel: Opportunities for Secure 3D Printing

Robert Zollo (moderator)
President, Avante Technology

Dr. Claire Vishik
Trust and Security Technology and Policy Director, Intel Corporation

Andre Wegner
Founder and CEO, Authentize

Key Discussion Points:

Opportunities for building security into the design of DDM machines abound.

During its development, security wasn’t high on the list of priorities for the ISO Additive Manufacturing File Format (AMF) [3], but it has “hints” of security: there is a space in the metadata where security could be inserted. In the future, it may be added in.

The Cyber Physical Systems (CPS) Public Working Group (PWG) considers manufacturing devices like 3D printers to be cyber physical systems. AM devices are similar in that they use the same protocols and firmware.

There are privacy concerns when considering cybersecurity controls. For example, putting in automatic, machine-generated ID numbers for asset inventory or forensic purposes could lead back to a particular printer and a particular person.

One of the biggest impacts of AM may be on the supply chain. Distributed manufacturing with localized production can dramatically reduce logistics costs. AM provides an opportunity to enhance the resilience and security of the supply chain in ways not available before.

The biggest obstacles to cybersecurity in manufacturing include: awareness; the culture; uninformed decision makers; loss of process control; people and organizations not working together; and unwillingness to invest in security.

Attendees disagreed as to whether the economy would need to provide an incentive for organizations to include cybersecurity in their processes. Some attendees stated that customers desire more secure solutions to protect their intellectual property and systems. Other attendees disagreed but were uncertain whether the market could be incentivized to be proactive or if solutions would always be reactionary.

Attendees and the panel stated that there were no on-going activities regarding security standardization. It was noted that standards reduce costs significantly in the semiconductor and other fields, but the standards processes around AM devices have just begun and attendees were unsure how security standards could be applied.


“Virtual Part” Perspective on Cyber-Security: Designing Security Components into 3D Printing Hardware, Software & Printed Objects

Robert Zollo
President
Avante Technology, LLC
Bellevue, WA USA
[email protected]

I. INTRODUCTION

The author will provide a “ground up” view of security issues from the printer hardware and related control software perspective, and introduce the concept of the “virtual part”, a term for the software and metadata that define the item to be printed, and its revisions as it moves and evolves throughout its life in the integrated supply chains of future factories.

He will provide insight on how to employ the new ISO/ASTM standard for 3D printing file descriptions to begin building security components within the file metadata, and use it with security functionality that can be designed into the printer firmware and control software. He will propose some simple steps to begin building a cyber-security capable environment on the shop floor and in the engineering lab.

II. THE “BRILLIANT FACTORY” CONCEPT

A brief overview of the integrated “brilliant factory” of the future as described by GE in their recent white paper on DDM [1]. The concept of integrating thousands of intelligent machines located in multiple locations by people within and outside the manufacturing organization in a “completely transparent supply chain” is introduced. Security issues relating to the “virtual part” as it moves through the supply chain to the factory floor and back for revisions are highlighted.

III. THE “STATE OF THE PRACTICE”

A brief overview of some typical 3D printers will be offered to highlight areas of potential breach of security in the firmware, controlling software and the file description software. Opportunities for introducing simple security measures are identified.

IV. LEVERAGING ISO STANDARDS

An overview of two ISO standards relating to the definition, transfer and use of 3D files [2, 3] is provided, with ideas on how these standards may be used to begin building some security mechanisms into the “virtual part” package as it moves through the design and supply chain.
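Both the panel discussion above (the AMF metadata "hint") and section IV here point at the AMF <metadata> element as the place where a security attribute of the virtual part could be carried. The following added example, which is not from this presentation and is not defined by ISO/ASTM 52915, shows one way to use that slot: an HMAC-SHA256 over the canonical geometry (vertex coordinates and triangle indices) is written into a <metadata> element on the <amf> root, and the receiving system recomputes it before the part is sliced. The metadata type name "integrity-hmac", the shared key, and the four-vertex sample part are assumptions made for the example; how the key is provisioned between the design system and the shop floor is outside its scope.

```python
"""Integrity tag for an AMF part carried in the file's own <metadata> element.

Added example: an HMAC-SHA256 over the canonical geometry (vertex coordinates
and triangle indices) is stored as <metadata type="integrity-hmac"> on the
<amf> root, and verified by the consumer before the part is processed.
The metadata type name, the key and the sample part are assumptions.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

INTEGRITY_TYPE = "integrity-hmac"   # assumed metadata type; not defined by ISO/ASTM 52915

# Shared key between the design system and the shop floor (constructed for the
# example; in practice provisioned out of band and never stored in the file).
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed four-vertex tetrahedron in AMF 1.1 layout.
SAMPLE_AMF = """<?xml version="1.0" encoding="UTF-8"?>
<amf unit="millimeter" version="1.1">
  <metadata type="name">bracket (constructed sample)</metadata>
  <object id="0">
    <mesh>
      <vertices>
        <vertex><coordinates><x>0</x><y>0</y><z>0</z></coordinates></vertex>
        <vertex><coordinates><x>10</x><y>0</y><z>0</z></coordinates></vertex>
        <vertex><coordinates><x>0</x><y>10</y><z>0</z></coordinates></vertex>
        <vertex><coordinates><x>0</x><y>0</y><z>10</z></coordinates></vertex>
      </vertices>
      <volume>
        <triangle><v1>0</v1><v2>1</v2><v3>2</v3></triangle>
        <triangle><v1>0</v1><v2>1</v2><v3>3</v3></triangle>
        <triangle><v1>1</v1><v2>2</v2><v3>3</v3></triangle>
        <triangle><v1>0</v1><v2>2</v2><v3>3</v3></triangle>
      </volume>
    </mesh>
  </object>
</amf>
"""


def _parse(xml_text: str) -> ET.Element:
    return ET.fromstring(xml_text.encode("utf-8"))


def canonical_geometry(root: ET.Element) -> bytes:
    """Serialise what the printer actually builds from, in a fixed order, so the
    digest is independent of XML whitespace, comments or attribute order."""
    parts = []
    for obj in root.iter("object"):
        parts.append(f"object:{obj.get('id')}")
        for vertex in obj.iter("vertex"):
            coords = vertex.find("coordinates")
            parts.append("v:" + ",".join(repr(float(coords.findtext(axis))) for axis in ("x", "y", "z")))
        for tri in obj.iter("triangle"):
            parts.append("t:" + ",".join(tri.findtext(v).strip() for v in ("v1", "v2", "v3")))
    return "\n".join(parts).encode("utf-8")


def _tag(root: ET.Element, key: bytes) -> str:
    return hmac.new(key, canonical_geometry(root), hashlib.sha256).hexdigest()


def sign_amf(xml_text: str, key: bytes) -> str:
    """Return the AMF document with a fresh integrity tag on the <amf> root."""
    root = _parse(xml_text)
    for meta in root.findall("metadata"):
        if meta.get("type") == INTEGRITY_TYPE:
            root.remove(meta)           # drop any stale tag before re-signing
    meta = ET.SubElement(root, "metadata", type=INTEGRITY_TYPE)
    meta.text = _tag(root, key)
    return ET.tostring(root, encoding="unicode")


def verify_amf(xml_text: str, key: bytes) -> bool:
    """True only if exactly one tag is present and it matches the geometry."""
    root = _parse(xml_text)
    tags = [m for m in root.findall("metadata") if m.get("type") == INTEGRITY_TYPE]
    if len(tags) != 1:
        return False
    return hmac.compare_digest(tags[0].text or "", _tag(root, key))


if __name__ == "__main__":
    signed = sign_amf(SAMPLE_AMF, DEMO_KEY)
    print("signed part verifies:", verify_amf(signed, DEMO_KEY))
    tampered = signed.replace("<x>10</x>", "<x>10.5</x>", 1)   # one coordinate nudged
    print("tampered part verifies:", verify_amf(tampered, DEMO_KEY))
```

The digest covers only the geometry, so a 0.5 mm change to a single coordinate (the kind of time-delayed failure the previous presentation calls sabotage) fails verification, while re-indenting or re-ordering attributes in the XML does not. An HMAC proves the file came from someone holding the shared key; if the design system and the shop floor are different organizations, the same metadata slot can carry a public-key signature instead, with the same canonicalisation.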

V. INTEGRATING SMALL SHOPS FOR SECURITY

Suggestions are made on how to implement a simple, scalable, integrated security mechanism using components embedded in the printer firmware, control software, file management software, and file description software that is applicable to small manufacturing shops as well as enterprise scale brilliant factories.

VI. INVITATION TO DIALOG

Panelists will be invited to comment on how the suggested security mechanisms might fit within a larger scale security architecture in enterprise factories.

REFERENCES

1. M. Annunziata and S. Biller, “The Future of Work”, General Electric white paper, 2014.
2. ISO/ASTM 52915, standard framework for an interchange format to address current and future needs of additive manufacturing, 2013.
3. ISO 14306, standard for viewing and sharing lightweight 3D product information, 2012.

Presentation by Robert Zollo: [slides, pages 85 to 97 of the original document, not reproduced in this text]

Presentation by Claire Vishik: [slides, pages 98 to 105 of the original document, not reproduced in this text]

Presentation by Andre Wegner: [slides, pages 106 to 125 of the original document, not reproduced in this text]

3 Summary of Attendee Perceptions

This section summarizes attendee perceptions as gathered throughout the symposium, including during presentations and through information gathering exercises. At the start of the symposium, attendees were asked to anonymously list as many thoughts / items as they could under each of the following categories:

Risks;
Challenges;
Existing Solutions, and
Potential / Theoretical Solutions.

20 percent of attendees submitted their responses, which are listed in Appendix A.

In addition, during the closing session, attendees were asked to identify thoughts / items under the following categories:

Standards;
Guidance;
Tools, and
Gaps.

The responses from this exercise are listed in Appendix B.

Several attendees identified culture / humans as a significant risk or challenge to the cybersecurity of DDM, and to cybersecurity in general. Cybersecurity education at all levels of a manufacturing organization was desired. Changing the priorities and culture of manufacturing organizations is challenging due to a lack of understanding of cybersecurity risks and benefits. Business cases or examples were desired. A few attendees mentioned legal requirements as a potential solution, and there were a few comments questioning who bears the burden of the risk of an attack: the IP owners, the vendor(s), or the government.

Threats to the integrity of designs and systems were a common thread in responses. Some mentioned confidentiality of intellectual property as a concern and only a few identified availability concerns. Software vulnerabilities were called out a few times, but most responses focused on the final product. The nature of the digital supply chain was identified several times as a challenge, with attendees specifically calling out the volume and types of data to be protected in a distributed and open manufacturing environment.

Quality control and event detection capabilities were desired. A few attendees mentioned the use of encryption throughout the manufacturing process as a potential solution. Other potential / desired technical capabilities identified by respondents included: distributed network security solutions, authentication mechanisms, automated and real-time monitoring and control, embedded security solutions, and residual data removal tools. It was stressed in responses and throughout the symposium that any technical solution must be simple and easy and preferably all-encompassing: “an easy button”.


Another common thread in responses was the suggestion for guidelines specific to DDM based on NIST SP 800-53 [1], the NIST Cybersecurity Framework [2], existing ISO standards, and industry best practices. Technical standards, such as protocols and formats, were also mentioned by several as representing a gap, or opportunity, for improving cybersecurity. Attendees provided the following list of standards and guidelines as providing a potential foundation for future DDM-specific cybersecurity standards and guidelines.

IEC 62264-1:2013, Enterprise-control system integration -- Part 1: Models and terminology [4]
ISA-95, Enterprise-Control System Integration [5]
ISO/ASTM 52915-13, Standard Specification for Additive Manufacturing File Format (AMF) Version 1.1 [3]
ISO 10303-242:2014, Industrial automation systems and integration -- Product data representation and exchange -- Part 242: Application protocol: Managed model-based 3D engineering [6]
ISO 14306:2012, Industrial automation systems and integration -- JT file format specification for 3D visualization [7]
ISO 14739-1:2014, Document management -- 3D use of Product Representation Compact (PRC) format -- Part 1: PRC 10001 [8]
ISO/IEC 27000:2014, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary [9]
NAS 9924, Cybersecurity Baseline [10]
NIACAP-DIACAP (now obsolete; see DoDI 8510.01 [11] and CNSSP No. 22 [12])
NIST Framework for Improving Critical Infrastructure Cybersecurity [2]
NIST IR 8023, Risk Management for Replication Devices [13]
NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations [1]
NIST SP 800-82 Revision 2, Guide to Industrial Control Systems (ICS) Security [14]


4 Conclusions

Direct Digital Manufacturing is poised to revolutionize the manufacturing industry. A collaborative public and private approach is necessary to improve the cybersecurity of DDM processes and technology. This symposium was intended to be a step in that direction.

Although the presenters were from diverse backgrounds representing a variety of viewpoints, each made similar points:

Cybersecurity risks to DDM are very real;
Cybersecurity threats are the Achilles' heel of the current manufacturing revolution;
There is a real opportunity to make the manufacturing supply chain more secure than it has ever been, and
The time to build cybersecurity into the DDM process is now.

Attendees identified several risks and opportunities for building cybersecurity into DDM. Many attendees identified the integrity of designs and machines as a major risk, while a few also mentioned intellectual property concerns. Gaps and potential solutions were grouped into four categories:

Education / awareness of risks and cost/benefits;
Technical solutions such as encryption capabilities and network monitoring;
Technical standards such as a security option in existing standard file formats, and
Guidance / best practice documents based on existing NIST publications.

With its expertise in advanced manufacturing and information technology, NIST is well poised to address these concerns. The NIST ITL has already developed cybersecurity guidance related to Cyber Physical Systems and Industrial Control Systems. There is an opportunity to include DDM cybersecurity considerations in future revisions of existing programs and publications. Also, the National Initiative for Cybersecurity Education (NICE) has begun to look at how to help manufacturers be more aware of cybersecurity risks that they may not have recognized. Additionally, the National Cybersecurity Center of Excellence (NCCoE) uses existing standards and technology to architect solutions to difficult cybersecurity problems, and DDM may be a candidate. Results from this symposium will help guide future efforts in these areas.


Appendix A: Response Sheet Results

At the beginning of the symposium, attendees were asked to list as many items/thoughts as they could under the following categories: Risks, Challenges, Existing Solutions, and Potential / Theoretical Solutions. Attendees were not limited as to the scope of their responses and were encouraged to write whatever came to mind. The following is a compilation of the responses received in each category. Responses are listed in alphabetical order and were transcribed as closely as possible, including grammar, abbreviations, and spelling. References have been added where possible and are included in Appendix F. An analysis of the responses, along with responses in Appendix B, is provided in section 3 of this publication.

Risks:

Altering data to change specs of finish products
Availability
Components in sensitive applications may have unintended / undesirable performance characteristics that are undetectable
Confidentiality
Corruption of imbedded software @ machine
Corruption of STL files
Damage of manufacturing equipment
Design tools vulnerability -> CAD & pre-cad part of
Detection of inherent flaw - pilphereal IP is analyzed for existing flaw
Ensure the small & medium enterprise have the tools are reasonable price point
EtherCat or Industrial IP security?
Getting tools to the right level capability at right price / affordable
Government entities each seem to have their own program for cyber security. The risk is two-fold: (1) they are talking, but not WORKING together. Wasting resources and efforts (2) Government is way behind industry, and not bringing them in to address this substantial gap
Integrity
IT/OT convergence --> how do I secure this… …
IVV of file transport from central storage to production facility
Modification of model
OEMs not ensuring security (& keeping backdoors open for "maintenance")
Tainted products (additional functionality)
The human aspect (social engineering)
Theft of intell property
Theft of IP
Treats to RF specturm - wireless is increasing the comms component of choice on factory floor. 802.3, 802.11ad etc
Understanding 3D printer, direct digital in the context of 3D phenomenon [i.e. same files could be used for manufacturing or decision support
Uneducated workforce


Un-maintained manufacturing equipment (outdated OS, virus definitions, firewall, firmware, etc.)

Challenges:

3D, HD, FMV
Automated
Automation security
Balancing benefits of open-source / open architecture machines & file formats with dangers of cyber vulnerabilities
Digital rights management / digital asset management
Digital supply chain
DISTRIBUTED manufacturing --> factory to factory
eCommerce --> Will be part of the supply chain and will provide its own set of challenges
Educating workforce about cyber-physical concerns
Embedded system / PLC, SCADA, ACS security
Front end costs of cyber controls are hard to justify
Having the right folks be the custodian of data / system
How to capture design intent for validation / certification
Integration of various data warehouse within enterprise that have to interface with each other (i.e. PDM/PLM, MRP/ERP/MES and Accounting/HR) to provide the integrity, availability, & confidentiality
Intellectual property management
Lack of business case
Manufacturing systems are not often updated (patches, firmware, more IT functionality than needed)
Mfg culture, gap to IT culture
Modeling and simulation precursor to decision to manufacture and design for manufacturing
MOM [Manufacturing Operations Management Security]
Organizational change management
PCII - protected critical infrastructure Information
PMI - production Manufacturing Information
Poor acquisition policy that doesn't drive security
Poor secure engineering design techniques (hardware & software)
Prioritization of what is really important
Quality control of microarchitecture
Real-Time systems (synchrophasor, EtherCAT, etc)
Role based access for M2M (machine to machine) exchanges
Security as a requirement for the PLC and PLC of infrastructure and PLC of FW/SW
Sensor network security
The value proposition
Trust


Understand tools, techniques and processes to protect fidelity from design thru production - what tool, at what cost, at what reduction in efficiency
Volume of 3D digital media

Existing Solutions:

5 layer manufacturing protocol stack [5, 4]
Encryption
Fundamental best practices are available in 800 series SPs and some contemporary IT security publications
NIST framework is good starting point
Training / awareness
Use of existing protocol for traditional manufacturing

Potential / Theoretical Solutions:

20 Critical controls for manufacturers
Anecdotal
Benchmark DoD/DOE defense contractors for best practices
Content distribution networks - edge computing security
Encrypt lifecycle
Encrypted streaming
Factory of the future dialog
Focus on model based ecosystems: provides an architecture and governance
IACAP-DIACAP - 800-134 (guess at #) - DoD continues to evolve "mandatory" standard
Increased use of encryption
Need a single entity that government can use to advance itself in this area. To succeed needs non-government owner who can bring all gov. entities together pooling resources, and incorporate industry to get current best practices. Suggest DMDLL as they are already doing a project on this involving government and industry. Possibly a more comprehensive follow on project
NEED AN EASY button for manufacturing floor
NTSB and auto - safety - manufacturers are responsible for standards - policy and law follow recommendation but a federal law was necessary to institute the mandate for commercial sector
Standards are probably the best way of balancing concerns of vulnerabilities, openness, & privacy (& business)
What risk reduction strategies, tools, and solutions exist? - A primer for manufacturing would be great!! Perhaps a good project for NAMII?
When we take people out of the loop a lot of vulnerabilities go away


Appendix B: Working Session Results

During the working session, attendees were asked to identify any standards, guides, or tools that could be applied to cybersecurity in DDM. They were also asked to identify any gaps in those areas, or anything that was missed during the symposium. Attendees were not limited as to the scope of their responses. The following is a compilation of the responses received in each category. Responses are listed in alphabetical order and were transcribed as closely as possible, including grammar, abbreviations, and spelling. References have been added where possible. An analysis of the responses, along with responses in Appendix A, is provided in section 3 of this publication.

Standards:

AMF & ISO JT [7]
IEC [16]
IEEE [17]
ISO ? Dealing with PDF / PRC format [8]
ISO [18]
ISO 10303 AP 242 [6]
ISO 27000 [9]
ITSI
NAS 9924 [10]
National Aerospace STDs published by Aerospace Industries Assoc. www.aia-nas.org [19]
NIST 800-53 [1]
Sector SIGs
Security Spec for ISO AMF standard [3]
See references to draft CPS PWG working group report [20]
Step 242 [6]

Guides:

Cyber awareness for the shop floor
NIST SP 800-82 [14]
Overlay for 800-53 [1] is important in bridging IT to OT thinking
Risk Management adapted for DDM

Tools:

DEA tools
NICE [21]
Residual data removal tool
Threat data sharing mechanisms


Gaps:

Authentication of Articles Connected to IoT
Awareness of costs associated with NOT integrating security
Breach Disclosure
Drivers for secure hardware & software design
Encryption approaches
FBI is an active player in cybersecurity
Flaw hack marketplace
Formats
Integration approaches
International laws and agreement to prosecute the sources of cybersecurity event and bad actors
Manufacturing Protocol Stack (Purdue) [15]
Material quality standards - powder (distribution, properties), polymer
NEED a guide for Business Case Analysis (for cybersecurity in mfg); NEED data/case examples to support
Rule of unfettered Innovation / open software mode
Transport protocols
Who owns the problem
Who owns what? - IP ownership
Who will own the solution - if industry doesn't does it roll over to government


Appendix C: Speaker Biographies

The following are speaker biographies as included in the agenda for the symposium, in presentation order.

Michael F. Molnar
Director, NIST Advanced Manufacturing Program Office
Director, Advanced Manufacturing National Program Office (AMNPO)

Mike Molnar likes to be introduced simply as "a manufacturing guy from industry" with nearly 30 years of experience in advanced manufacturing. To help provide an industry focus, in 2011 he was named the first Chief Manufacturing Officer of the National Institute of Standards and Technology. Today Mike leads the NIST Advanced Manufacturing Program Office for extramural manufacturing programs and also serves as the director of the interagency Advanced Manufacturing National Program Office. As called for by the Advanced Manufacturing Partnership initiative, the AMNPO's mission is to foster industry-led partnerships and to form a "whole of government" approach to strengthen competitiveness and innovation in U.S. manufacturing.

Mike's experience includes leadership roles in advanced manufacturing, metrology, manufacturing systems, quality, technology development, sustainability and industrial energy efficiency. His credentials include service as a Federal Fellow in the White House Office of Science and Technology Policy, and election as Fellow of both the American Society of Mechanical Engineers and the Society of Manufacturing Engineers. He is a licensed Professional Engineer, a Certified Manufacturing Engineer and a Certified Energy Manager. He received a Master of Business Administration from the University of Notre Dame, and both a Master of Science in Manufacturing Systems Engineering and a Bachelor of Science in Mechanical Engineering from the University of Wisconsin. He is an active member of professional societies, consortia and volunteer organizations.

Christopher B. Williams
Associate Professor, Virginia Tech Department of Mechanical Engineering

Christopher B. Williams is an Associate Professor with a joint appointment with the Department of Mechanical Engineering and the Department of Engineering Education at Virginia Tech. He is the Director of the Design, Research, and Education for Additive Manufacturing Systems (DREAMS) Laboratory and Associate Director of the Macromolecules & Interfaces Institute. His research contributions have been recognized by six Best Paper awards at international design, manufacturing, and engineering education conferences. He is a recipient of a National Science Foundation CAREER Award (2013), the 2012 International Outstanding Young Researcher in Freeform and Additive Fabrication Award, and the 2010 Emerald Engineering Additive Manufacturing Outstanding Doctoral Research Award. Chris holds a Ph.D. and M.S. in Mechanical Engineering from the Georgia Institute of Technology (Atlanta, Georgia) and a B.S. with High Honors in Mechanical Engineering from the University of Florida (Gainesville, Florida).


Scott Zimmerman, CISSP-ISSEP
Principal IT Advisor, Concurrent Technologies Corporation (CTC)

Dominick Glavach, CISSP, GCIH
Principal Fellow, Information Systems Security Engineer, CTC

Scott Zimmerman, CISSP-ISSEP, is a Principal Technical Advisor at Concurrent Technologies Corporation with 20 plus years of Cyber Security experience. Mr. Zimmerman's specialized expertise includes cyber security, cloud/mobile computing and systems engineering. Mr. Zimmerman’s education includes a BS in Management Information Systems and an AS in Electronic/Computer Technology. He is a Certified Information Systems Security Professional (CISSP) and Information Systems Security Engineering Professional (ISSEP).

Mr. Glavach is a Principal Information Systems (IS) Security Engineer and CISO at Concurrent Technologies Corporation (CTC). He serves as the Cyber Security technical lead in CTC's Enterprise Infrastructure and provides CTC's clients with Cyber technical leadership and Subject Matter Expertise (SME). Mr. Glavach received his BS in Computer Science from the Indiana University of Pennsylvania, is a Certified Information System Security Professional (CISSP), an active member of the Information Assurance Technology Analysis Center SME Program and a member of the Cloud Security Alliance (CSA).

The speakers specialize in cyber attack methods, attack warning and detection, and cyber countermeasures. They have presented numerous talks on cloud forensics, cyber adversaries and advanced persistent threats to a wide range of public and government audiences.

Concurrent Technologies Corporation (CTC) is an independent, nonprofit, applied scientific research and development professional services organization providing innovative management and technology-based solutions to government and industry. Established in 1987, CTC operates from more than 50 locations with a staff of over 1,400 employees. As a nonprofit 501(c)(3) organization, CTC’s primary purpose and programs are to undertake applied scientific research and development activities that serve the public interest. We conduct impartial, in-depth assessments and technical evaluations that emphasize increased quality, enhanced effectiveness, and rapid technology transition and deployment. CTC offers a broad range of services and capabilities, coupled with real-world experience. For more information about CTC, visit www.ctc.com.

Dr. Michael McGrath
NDIA Manufacturing Division

Michael McGrath is an independent consultant who provides analytic support for government and industry technology programs. He is also a Senior Technical Advisor (and former Vice President) at Analytic Services Inc. (ANSER), a not-for-profit government services organization. He previously served as the Deputy Assistant Secretary of the Navy for Research, Development, Test and Evaluation (DASN(RDT&E)), where he was a strong proponent for improvements in technology transition, modeling and simulation, and test and evaluation. In prior positions, he served as Vice President for Government Business at the Sarnoff Corporation, ADUSD for Dual Use and Commercial Programs in the Office of the Secretary of Defense (OSD), Assistant Director for Manufacturing at the Defense Systems Research Projects Agency (DARPA-DSO), and Director of the DoD Computer-aided Acquisition and Logistics Support (CALS) program. While at DARPA, he managed the Affordable Multi-Missile Manufacturing Program and the Agile Manufacturing program. He was also heavily involved in DARPA’s dual-use Technology Reinvestment Project and has been a strong advocate for defense use of commercial technology advances. His early government career included positions in Logistics Management at Naval Air Systems Command and in Acquisition Management in OSD. He is a Senior Fellow at the Potomac Institute for Policy Studies, a director of South Carolina Research Authority Applied R&D, and a member of the National Research Council’s Materials and Manufacturing Board, the Defense Materials, Manufacturing and Infrastructure Committee (chair), the Penn State ARL Materials and Manufacturing Advisory Board, and the Georgia Tech Manufacturing Institute Advisory Board.

Dr. McGrath holds a BS in Space Science and Applied Physics and an MS in Aerospace Engineering from Catholic University, and a doctorate in Operations Research from George Washington University.

Robert Zollo
President, Avante Technology, LLC

Mr. Zollo is President and Founder of Avante Technology, LLC, a privately held company that develops, markets and licenses advanced 3D printing technology to 3D printer OEMs, manufacturers and engineering firms. Prior to that he was President and Founder of Software Architects, Inc., a developer of electronic systems for OEMs in a variety of industries, including 3D printing, digital imaging and optical recording. As Chairman of the Optical Storage Technology Association, Mr. Zollo was responsible for the development of ISO 13346, the international standard that defines the digital file format used in all DVDs, Blu-ray discs, CAT scan, MRI and digital X-ray systems. He also led the development of four patents relating to digital file management, image manipulation and file interoperability, and is the inventor of a patent-pending method for controlling the printing of new engineering grade composite materials in FDM printers. Mr. Zollo holds a Bachelor of Science degree in Engineering from the U.S. Military Academy at West Point, an MBA from Southern Illinois University and conducted his graduate technical studies at the University of Southern California’s school of engineering. He is currently working on enhancements to the new ISO AMF standard defining the 3D file description language for additive manufacturing applications.

Dr. Claire Vishik
Trust and Security Technology and Policy Director, Intel Corporation


Dr. Claire Vishik’s work at Intel Corporation focuses on hardware security, Trusted Computing, privacy enhancing technologies, some aspects of cryptography and related policy issues. Claire is a member of the Permanent Stakeholders Group (Advisory Board) of ENISA, the European Network and Information Security Agency. She is an advisor to a number of cybersecurity R&D and policy projects, initiatives, and organizations, including the cryptography program at the University of Bristol or Oxford Cybersecurity Center for Capacity Building, and is on the leadership teams of several organizations and initiatives tasked with the development of R&D strategies in cybersecurity in the US, Europe, and beyond. Claire is active in standards development and is on the Board of Directors of the Trusted Computing Group and on the Council of the Information Security Forum. Claire received her PhD from the University of Texas at Austin. Prior to joining Intel, Claire worked at Schlumberger Laboratory for Computer Science and AT&T Laboratories. Claire is the author of numerous papers and reports and an inventor on 30+ pending and granted U.S. patents.

Andre Wegner
Co-founder & CEO, Authentise

Andre Wegner is co-founder and CEO of Authentise (www.authentise.com), the licensing and services platform for Distributed Manufacturing. Authentise's secure streaming and quality assurance technology for 3D printing enables design owners to share their digital manufacturing designs with confidence, and get paid per print. Authentise Consulting also assists Fortune 100 corporations in putting 3D printing at the heart of their business. He is a frequent speaker on emerging intellectual property issues in 3D Printing and opportunities of distributed manufacturing at events such as Singularity University, Rapid, Designer of Things, Inside 3D Printing, 3D Print Show, Pacific Crest & WIRED. He has been quoted in publications such as BBC News, MIT Tech Review, Chicago Tribune, and Bloomberg. Prior to founding Authentise he managed a venture capital fund in Nigeria and advisory services in India. He is a graduate of St. Andrews University (UK), ESSEC (France) and Singularity University (California).


Appendix D: Attendees List

Registrant Name            Organization
Clara Asmail               NIST MEP
Lawrence Balash            Nova Corporation
David Barrett              Department Of Navy-Chief Of Naval Operations
Dean Bartles               UI Labs
Michelle Bezdecny          Anser - OSD/Mantech
Allen Egon Cholakian       IRDFproject Harvard / Columbia
Bill Coccoli               NGC
Thomas Conkle              G2, Inc.
Khershed Cooper            NSF
Charles Crum               Office Of Inspector General, Us Postal Service
Nicholas Deliman           MDA Information Systems
Tuong-Vy Do
Gavin Garner               University Of Virginia
Dom Glavach
Daniel Green               Space And Naval Warfare Systems Command
Ryan Hayleck               NAVSEA
Paul Huang                 NIST
Brian Hubbard              G2, Inc.
Michele Hughes
Lawrence John              Analytic Services Inc.
Waide Jones                Lockheed Martin
Ben Kassel                 Naval Sea Systems Command
Bruce Kramer               NSF
Francis Lee                Howard County Public School Systems
Michael Mcgrath            Analytic Services Inc (Anser)
Mike Molnar                NIST
Ed Morris                  NCDMM
Wesley Old Coyote          State Of Montana
Yaowe Ong                  CSC


Celia Paulsen              NIST
Al Payne                   Theta Solutions
Paul Petronelli            Palm Associates, Inc.
James Rentsch              Aerospace Industries Association
Chris Root                 NAVAIR Fleet Readiness Center Southwest
Scott Storms               NAVSSES
Rebecca Taylor             NCMS
Joe Veranese               NCDMM
Patrick Violante           NAVSSES
Claire Vishik              Intel
R Wachter
Andre Wegner               Authentise Inc
Eric Wilcox                SAIC
Craig Young                DDC-ITS
Scott Zimmerman            CTC
Robert Zollo               Avante Technology, Llc


Appendix E: Acronyms

ACS     Access Control System
AM      Additive Manufacturing
AMF     Additive Manufacturing File Format
CAD     Computer Aided Design
DDM     Direct Digital Manufacturing
DEA     Data envelopment analysis
DMDII   Digital Manufacturing and Design Innovation Institute
DoD     Department of Defense
DOE     Department of Energy
ERP     Enterprise resource planning
FMV     Full Motion Video
FW      Firmware
HD      High Definition
IoT     Internet of Things
IP      Intellectual Property
ISO     International Organization for Standardization
IT      Information Technology
IVV     Independent Verification and Validation
MES     Manufacturing Execution System
MOM     Manufacturing Operations Management
MRP     Material requirements planning
NAMII   National Additive Manufacturing Innovation Institute
NIST    National Institute of Standards and Technology
NICE    National Initiative for Cybersecurity Education
NNMI    National Network for Manufacturing Innovation
NTSB    National Transportation Safety Board
OEM     Original Equipment Manufacturer
OS      Operating System


OT      Operations/Operational Technology
PCII    Protected Critical Infrastructure Information
PDM     Product data management
PLC     Programmable Logic Controller
PLM     Product Lifecycle Management
PMI     Production Manufacturing Information
RF      Radio Frequency
SCADA   Supervisory Control and Data Acquisition
SIG     Special Interest Group
STD     Standard
STL     Stereolithography
SW      Software


Appendix F: References

[1] NIST Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, National Institute of Standards and Technology, Gaithersburg, Maryland, 2013, http://dx.doi.org/10.6028/NIST.SP.800-53r4

[2] Cybersecurity Framework, National Institute of Standards and Technology, 2014, http://www.nist.gov/cyberframework/

[3] ISO/ASTM 52915-13, Standard Specification for Additive Manufacturing File Format (AMF) Version 1.1, ASTM, 2013, http://www.astm.org/Standards/ISOASTM52915.htm

[4] IEC 62264-1:2013, Enterprise-control system integration -- Part 1: Models and terminology, International Organization for Standardization, 2013, http://www.iso.org/iso/catalogue_detail.htm?csnumber=57308

[5] ISA-95, Enterprise-Control System Integration, International Society of Automation, https://www.isa.org/isa95/

[6] ISO 10303-242:2014, Industrial automation systems and integration -- Product data representation and exchange -- Part 242: Application protocol: Managed model-based 3D engineering, International Organization for Standardization, 2014, http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=57620

[7] ISO 14306:2012, Industrial automation systems and integration -- JT file format specification for 3D visualization, International Organization for Standardization, 2012, http://www.iso.org/iso/catalogue_detail.htm?csnumber=60572

[8] ISO 14739-1:2014, Document management -- 3D use of Product Representation Compact (PRC) format -- Part 1: PRC 10001, International Organization for Standardization, 2014, http://www.iso.org/iso/catalogue_detail.htm?csnumber=54948

[9] ISO/IEC 27000:2014, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary, International Organization for Standardization, 2014, http://www.iso.org/iso/catalogue_detail?csnumber=63411

[10] NAS 9924, Cybersecurity Baseline, Aerospace Industries Association, 2013, https://global.ihs.com/doc_detail.cfm?&rid=AIA&input_doc_number=NAS%209924%2CNA&item_s_key=00601403&item_key_date=861003&input_doc_number=NAS%209924%2CNA&input_doc_title=#abstract

[11] Department of Defense Instruction (DoDI) 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), Department of Defense, 2014, http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf

[12] CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, Committee on National Security Systems (CNSS), 2012, http://www.ncix.gov/publications/policy/docs/CNSSP_22.pdf

[13] Dempsey, Kelley and Paulsen, Celia, NIST Internal Report (IR) 8023, Risk Management for Replication Devices, National Institute of Standards and Technology, 2015, http://dx.doi.org/10.6028/NIST.IR.8023

[14] NIST Special Publication (SP) 800-82 Revision 2, Guide to Industrial Control Systems (ICS) Security, second public draft, National Institute of Standards and Technology, Gaithersburg, Maryland, 2008, http://csrc.nist.gov/publications/drafts/800-82r2/sp800_82_r2_second_draft.pdf

[15] Williams, Theodore J., "The Purdue Enterprise Reference Architecture", Computers in Industry, 24 (1994), pp. 141-158, http://dx.doi.org/10.1016/0166-3615(94)90017-5

[16] International Electrotechnical Commission (IEC), 2015, http://www.iec.ch/

[17] IEEE, 2015, https://www.ieee.org/index.html

[18] ISO - International Organization for Standardization, 2015, http://www.iso.org/iso/home.html

[19] Aerospace Industries Association, National Aerospace Standards, 2015, http://www.aia-aerospace.org/national_aerospace_standards/

[20] Cyber-Physical Systems Public Working Group, 2015, http://www.cpspwg.org/

[21] The National Initiative for Cybersecurity Education (NICE), National Institute of Standards and Technology, 2015, http://csrc.nist.gov/nice/